How to use DHeapMon.exe to troubleshoot Desktop Heap issues

The other day I had to troubleshoot an issue with a process that a specific Windows service was trying to launch without success. We could see with a debugger (i.e. WinDbg) that the new process was actually being created but it exited before we even got to its main function.

This may be a typical Desktop Heap issue. I won't explain Desktop Heap here. We already have a great overview on this topic: Desktop Heap Overview. It also explains how to troubleshoot this kind of issue with the DHeapMon tool. You should read that article before you continue reading this post.

If everything is explained in the previous link, why am I writing this post? Well, it doesn't explain in detail how to configure and use DHeapMon, and it took me a while to figure this out. I hope this saves you some time.

Note: We'll need the correct symbols for win32k.sys to be able to set up DHeapMon.

2) Load symbols for win32k.sys:

symchk c:\windows\system32\win32k.sys /v

Note: The symbols we need will be copied to c:\symbols.

3) Install DHeapMon driver:

dheapinst -y c:\symbols

4) Start DHeapMon driver:

dheapmon.exe -l

5) Get DHeapMon output:

5.1) For current user session:

dheapmon.exe

5.2) For session 0 (Windows services):

at 13:12 c:\path_to_dheapmon\dheapmon.exe -f c:\result.txt

Note: To access session 0 information we need to run DHeapMon under a highly privileged account in the Windows services world. A trick to do that is to launch the tool as a scheduled task with an AT command. This way DHeapMon will be running (by default) as System in the same session as the other services. We print the output to a .txt file because the tool will be running in an invisible desktop.

Alex, thanks for this great article. I keep it on my list of items to mail to other developers.

I’ve faced a problem with dheapmon since about June, though — it will no longer install or load. I’ve followed your instructions several times, read the dheapmon docs, tried googling, tried troubleshooting with procmon, and haven’t found how to get around this issue.

I get an error "Dheapmon – Software is not installed or Driver is not running (1012)" when I try to load the appropriate dheapmon driver. I try to install the correct driver again, and I get "Driver Installation error occured (3)" whenever I try to run dheapinst or dheapinst with my correct pdb symbols.

I haven’t found any help on this error "Driver Installation error occured (3)". Have you faced it?